feat: implement user authentication module

- Backend (FastAPI): - External API authentication (pj-auth-api.vercel.app) - JWT token validation with Redis session storage - RBAC with department isolation - User, Role, Department models with pjctrl_ prefix - Alembic migrations with project-specific version table - Complete test coverage (13 tests) - Frontend (React + Vite): - AuthContext for state management - Login page with error handling - Protected route component - Dashboard with user info display - OpenSpec: - 7 capability specs defined - add-user-auth change archived 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 23:41:37 +08:00
commit 1fda7da2c2
77 changed files with 6562 additions and 0 deletions
--- a/backend/app/core/security.py
+++ b/backend/app/core/security.py
@@ -0,0 +1,82 @@
+from datetime import datetime, timedelta
+from typing import Optional, Any
+from jose import jwt, JWTError
+from app.core.config import settings
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """
+    Create a JWT access token.
+
+    Args:
+        data: Data to encode in the token
+        expires_delta: Optional custom expiration time
+
+    Returns:
+        Encoded JWT token string
+    """
+    to_encode = data.copy()
+
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=settings.JWT_EXPIRE_MINUTES)
+
+    to_encode.update({"exp": expire, "iat": datetime.utcnow()})
+
+    encoded_jwt = jwt.encode(
+        to_encode,
+        settings.JWT_SECRET_KEY,
+        algorithm=settings.JWT_ALGORITHM
+    )
+    return encoded_jwt
+
+
+def decode_access_token(token: str) -> Optional[dict]:
+    """
+    Decode and verify a JWT access token.
+
+    Args:
+        token: The JWT token to decode
+
+    Returns:
+        Decoded token payload if valid, None if invalid or expired
+    """
+    try:
+        payload = jwt.decode(
+            token,
+            settings.JWT_SECRET_KEY,
+            algorithms=[settings.JWT_ALGORITHM]
+        )
+        return payload
+    except JWTError:
+        return None
+
+
+def create_token_payload(
+    user_id: str,
+    email: str,
+    role: str,
+    department_id: Optional[str],
+    is_system_admin: bool
+) -> dict:
+    """
+    Create a standardized token payload.
+
+    Args:
+        user_id: User's unique ID
+        email: User's email
+        role: User's role name
+        department_id: User's department ID (can be None)
+        is_system_admin: Whether user is a system admin
+
+    Returns:
+        dict: Token payload
+    """
+    return {
+        "sub": user_id,
+        "email": email,
+        "role": role,
+        "department_id": department_id,
+        "is_system_admin": is_system_admin,
+    }